Disable Remote Desktop capability

This topic contains 7 replies, has 4 voices, and was last updated by Sam Boutros 1 year, 2 months ago.

  • Author
  • #66193

    Brian Clanton

    Can someone direct me to a sample script on how to disable a client's remote desktop capability? Basically I am looking at the equivalent of disabling an entire OU of users that have the 'Deny this user permissions to log on to Remote Desktop Session Host Server' setting from within the Active Directory Remote Desktop Services Profile Properties.

    AD server is running PS version 5.

  • #66201

    Albert van Boerum

    Hi Brian,

    By default you have to enable users to use an RDS server. Can you give me some more detail about your situation?
    With this information I would say, just make a group with the users that need to have access to your RDS servers and give this group access.


  • #66207

    Graham Beer

    Hi Brian,

    I've written you a script that will do this. You can enable or disable Terminal Services through WMI.

    function Set-TerminalServices {
        [CmdletBinding()]
        param (
            # One or more computer names, accepted from the pipeline
            [Parameter(Mandatory = $true, ValueFromPipeline = $true, Position = 0)]
            [string[]]$ComputerName,
            # 'True' to enable, 'False' to disable (the usage below abbreviates it as -Enable)
            [Parameter(Mandatory = $true, Position = 1)]
            [ValidateSet('True', 'False')]
            [string]$EnableTerminalServices
        )
        begin {
            # Convert True or False from string to Boolean value
            $boolValue = [System.Convert]::ToBoolean($EnableTerminalServices)
        }
        process {
            # foreach computer set value to either 'True' or 'False' for either enable or disable
            foreach ($computer in $ComputerName) {
                # Win32_Terminal returns one instance per listener; act on the Remote Desktop listener only
                Get-WmiObject -Namespace 'root\CIMV2\TerminalServices' `
                    -Class Win32_Terminal `
                    -ComputerName $computer |
                Where-Object { $_.TerminalName -eq 'RDP-Tcp' } |
                ForEach-Object { $_.Enable($boolValue) } |
                ForEach-Object {
                    # Check for a return code of '0' for success
                    if ($_.ReturnValue -eq [uint32]0) {
                        "{0} : {1} = {2}" -f $computer, "Terminal Services Status",
                            $(if ($boolValue) { "Enabled" } else { "Disabled" })
                    }
                    else {
                        "{0} : {1}" -f $computer, "[Error] Failed to update Terminal Service value"
                    }
                }
            }
        }
        end {} # add for completeness
    }

    The script will allow you to pass computers to the pipeline and allow you to either enable or disable the Terminal Service.

    'PC12345','Localhost' | Set-TerminalServices -Enable True
    PC12345 : Terminal Services Status = Enabled
    Localhost : Terminal Services Status = Enabled


    'PC12345','Localhost' | Set-TerminalServices -Enable false
    PC12345 : Terminal Services Status = Disabled
    Localhost : Terminal Services Status = Disabled

    Hope that helps.

  • #66276

    Brian Clanton

    We run a hosted terminal server environment where a majority of the clients who have hosted applications use remote capability, either through RDP or Citrix, to our terminal servers. However, a small portion of our users are email only and 'should' have remote capability turned off (shut off within Active Directory Remote Desktop Services Profile).

    If I specify a client that is email hosted only, I want my script to iterate through all users within that OU to check this 'Deny' setting and check it if it is not checked.

    I have experimented with a single account and I can get the status of the setting, but I am having trouble with the 'set' statement syntax.
    However, I feel like I am taking the long way around, since the examples I have seen manipulate *TS* properties, but I don't seem to have access to them when I run the command get-aduser -identity bclanton | get-member.

    $bclanton = Get-ADUser -Identity bclanton -Properties DistinguishedName
    $bclantonDN = $bclanton | Select-Object -ExpandProperty DistinguishedName   # -ExpandProperty (not -ExcludeProperty) returns the DN string
    $bclantonUser = [adsi]"LDAP://$bclantonDN"
    if (($bclantonUser.psbase.InvokeGet("AllowLogon")) -eq 1) {
        Write-Output "Set to 1"
    } else {
        Write-Output "Set to 0"
    }

  • #66277

    Sam Boutros

    Run one region at a time as needed, not the whole script. Edit region Input to enter your OU info.

    #region Input
    $OUName = [adsi]'LDAP://ou=PACRIM,dc=mydomain,dc=com'
    #endregion
    #region View Terminal Services 'AllowLogon' of AD users in 'OUName'
    $ADUsers = $OUName.psbase.get_children() # Get all users in the OU
    $myOutput = foreach ($ADUser in $ADUsers) {
        New-Object -TypeName PSObject -Property @{
            DN           = $ADUser.distinguishedName | select -First 1
            TSAllowLogon = ($ADUser.psbase.InvokeGet('AllowLogon') -eq 1) # TS property, read via InvokeGet
        } | Select DN, TSAllowLogon
    }
    $myOutput | FT -a
    #endregion
    #region Disable Terminal Services 'AllowLogon' for AD users in 'OUName'
    foreach ($ADUser in $ADUsers) {
        $ADUser.psbase.InvokeSet('AllowLogon', 0) # 0 = 'Deny this user permissions to log on to Remote Desktop Session Host server'
        $ADUser.SetInfo()                         # write the change back to AD
    }
    #endregion
    #region Enable Terminal Services 'AllowLogon' for AD users in 'OUName'
    foreach ($ADUser in $ADUsers) {
        $ADUser.psbase.InvokeSet('AllowLogon', 1)
        $ADUser.SetInfo()
    }
    #endregion

  • #66286

    Brian Clanton

    The 'setinfo()' method was my missing link.

    After you created the new list of objects in the command:

    $ADUsers = $OUName.psbase.get_children() 

    How is one made aware of the 'setinfo()' method? In my example, I pipe the object

    $bclanton.psbase | Get-Member

    and I do not see this method.

    • #66754

      Brian Clanton

      The only issue with the above example is that it doesn't pull just user accounts but group accounts as well.

      $ADUsers = $OUName.psbase.get_children()


      [w2k8-dc2]: PS C:\Users\administrator.XXXX\Documents> $adusers
      distinguishedName : {CN=Group-tptest,OU=TPTest,OU=Hosted,DC=XXXX,DC=local}
      Path              : LDAP://CN=Group-tptest,ou=TPTest,ou=hosted,dc=XXXX,dc=local
      distinguishedName : {CN=tptest1,OU=TPTest,OU=Hosted,DC=XXXX,DC=local}
      Path              : LDAP://CN=tptest1,ou=TPTest,ou=hosted,dc=XXXX,dc=local
      distinguishedName : {CN=tptest2,OU=TPTest,OU=Hosted,DC=XXXX,DC=local}
      Path              : LDAP://CN=tptest2,ou=TPTest,ou=hosted,dc=XXXX,dc=local
      distinguishedName : {CN=tptest3,OU=TPTest,OU=Hosted,DC=XXXX,DC=local}
      Path              : LDAP://CN=tptest3,ou=TPTest,ou=hosted,dc=XXXX,dc=local
      distinguishedName : {CN=tptest4,OU=TPTest,OU=Hosted,DC=XXXX,DC=local}
      Path              : LDAP://CN=tptest4,ou=TPTest,ou=hosted,dc=XXXX,dc=local
      distinguishedName : {CN=tptest6,OU=TPTest,OU=Hosted,DC=XXXX,DC=local}
      Path              : LDAP://CN=tptest6,ou=TPTest,ou=hosted,dc=XXXX,dc=local
      distinguishedName : {CN=tptest7,OU=TPTest,OU=Hosted,DC=XXXX,DC=local}
      Path              : LDAP://CN=tptest7,ou=TPTest,ou=hosted,dc=XXXX,dc=local
      distinguishedName : {CN=tptest8,OU=TPTest,OU=Hosted,DC=XXXX,DC=local}
      Path              : LDAP://CN=tptest8,ou=TPTest,ou=hosted,dc=XXXX,dc=local
    • #66819

      Sam Boutros

      $ADUsers = $ADUsers | where { $_.psbase.SchemaClassName -eq 'user' } # keep only user objects; matching 'group' in the path would also drop any user whose name contains that word
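
Putting the thread's pieces together (user-only filter, InvokeGet/InvokeSet, commit) as an added example that is not code from any poster: the function name, the OU DN and the placeholder domain are assumptions, and -WhatIf lets you audit the OU before anything is written.

```powershell
# Added example, not code from the thread: audit every user object in one OU
# and (optionally) clear its Remote Desktop 'AllowLogon' flag. The OU DN is an
# assumed placeholder; -WhatIf lets you audit before anything is written.
function Set-OuTsAllowLogon {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param (
        # Distinguished name of the OU holding the email-only users (placeholder)
        [Parameter(Mandatory = $true)]
        [string]$OuDn,

        # 0 = 'Deny this user permissions to log on to RD Session Host', 1 = allow
        [ValidateSet(0, 1)]
        [int]$AllowLogon = 0
    )

    $ou = [adsi]"LDAP://$OuDn"
    foreach ($entry in $ou.psbase.Children) {
        # Children also contains groups, contacts and computers; keep user objects only
        if ($entry.psbase.SchemaClassName -ne 'user') { continue }

        $dn = $entry.distinguishedName | Select-Object -First 1
        # AllowLogon is an IADsTSUserEx property, so read it with InvokeGet
        $current = [int]$entry.psbase.InvokeGet('AllowLogon')
        $after   = $current

        if ($current -eq $AllowLogon) {
            $action = 'Unchanged'
        }
        elseif ($PSCmdlet.ShouldProcess($dn, "Set AllowLogon=$AllowLogon")) {
            $entry.psbase.InvokeSet('AllowLogon', $AllowLogon)
            $entry.psbase.CommitChanges()   # .NET name for the thread's SetInfo()
            $after  = $AllowLogon
            $action = 'Changed'
        }
        else {
            $action = 'Skipped'   # -WhatIf, or the confirmation was declined
        }

        # One record per user so the result can be piped to Format-Table or Export-Csv
        [PSCustomObject]@{ DN = $dn; Before = $current; After = $after; Action = $action }
    }
}

# Audit first with -WhatIf, then apply the deny and review the per-user report:
# Set-OuTsAllowLogon -OuDn 'OU=Hosted,DC=example,DC=local' -WhatIf
# Set-OuTsAllowLogon -OuDn 'OU=Hosted,DC=example,DC=local' -AllowLogon 0 | Format-Table -AutoSize
```

Run the -WhatIf pass first and keep its output: the Before column is the record of which accounts in the OU still allowed Remote Desktop logon before the change.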
